In a previously undocumented campaign that started early last year, suspected North Korean hackers used the web skimming technique to steal cryptocurrency, Group-IB cybersecurity researchers reported.
The attackers modified JavaScript code so that it replaces the victim’s crypto wallet address with the one belonging to the attackers. Cybercriminals compromised customers of at least three online stores.
Group-IB attributes the campaign to Lazarus APT, also known as Hidden Cobra, with high confidence since the threat actors used the infrastructure for web skimming activities that was attributed in the past to the North Korean APT.
One of the campaigns has been tracked by research firms since 2019 and the JS-sniffer used in the attacks pointed to Lazarus. In this campaign, known as “clientToken=”, attackers modified the malicious JS-sniffer or web skimmer – used to collect payment card details that customers enter on the checkout page – so that it replaced the store’s Bitcoin address with one they controlled.
In their report, Group-IB refers to the malicious script as Lazarus BTC Changer.
An investigation from researchers at Group-IB cybersecurity company showed that cybercriminals targeted only online shops that accepted payments in cryptocurrency.
According to the researchers, the campaign with Lazarus BTC Changer started in late February 2020.
One of the websites infected with Lazarus BTC Changer was luxmodelagency[.]com. Group-IB has also found another two compromised websites, as previously described by Sansec, Realchems and Wongs Jewellers. Only Realchems, however, accepted payments in cryptocurrency and was targeted by North Korean cybercriminals
The third victim, an Italian luxury clothes shop, had the script removed from its website by the time of analysis by Group-IB, the researchers say.
“Like all traditional JS-sniffers, Lazarus BTC Changer detects when users are on the checkout page of an infected website, but instead of collecting bank card details, it replaces the BTC or ETH address owned by the shop with an address used by the hackers,” Group-IB said.
In late March 2020, attackers added a fake payment form in the script so that the store’s BTC wallet no longer had to be replaced and the cryptocurrency would go directly to the threat actors.
While analyzing the source code of the fake payment form, the researchers found another clue pointing to North Korea. They’ve found a time signature in some files that showed “the text in Korean “그리니치 표준시” (Greenwich Mean Time), which indicates that the page was saved on the device with Korean locale.”
The small scale of the campaign, the fact that the actor did not make much money, and all outgoing transactions from the BTC addresses found in Lazarus BTC Changer went to a single address, makes researchers believe that it was just a test of a new set of tools and tactics that could be used on larger targets in the future.